September 24, 2009
JAMA Reports about Online Posting of Unprofessional Content by Medical Students, Including Potential HIPAA Violations
The Associated Press and other media outlets (including the BBC) picked up today on results of a new survey published in the September 23/30, 2009 issue of JAMA (Journal of the American Medical Association), titled "Online Posting of Unprofessional Content by Medical Students." Researchers conducted an anonymous electronic survey of deans of student affairs, their representatives or counterparts at institutions that are a part of the Association of American Medical Colleges during March and April 2009 (78 of 130 organizations responded).
Among the findings, a majority of respondents (60%) reported incidents of med students posting "unprofessional" content online, including "use of profanity" (52%), "frankly discriminatory language" (48%), "depiction of intoxication" (39%) and "sexually suggestive material" (38%). Interesting stuff, but nothing we haven't heard (or seen firsthand amongst our own friends, no?) before.
What makes this report relevant to the world of security is that 13% of respondents reported that inappropriate posts by med students included "violations of patient confidentiality." Now we're getting somewhere.
As regular readers are no doubt aware, HIPAA regulations in the US (and best practices among medical professionals everywhere) protect patient confidentiality and require that personally identifying information about patients, coupled with information about medical procedures, treatments, etc., not be transmitted electronically without first being encrypted.
I'm not a subscriber to JAMA, so I haven't read the full report, but the BBC's coverage noted that most of these privacy violations were via blogs (one on Facebook) and contained "enough clinical detail that patients could be potentially identified."
Looks like American medical colleges have a lot more to do with respect to educating doctors-in-training about data privacy regulations that apply to them...
Of course, Proofpoint's own research finds that healthcare and other data privacy violations are frighteningly common in large US enterprises, with 34% reporting that they investigated an email-based violation of privacy or data protection regulations in the past 12 months.
If you'd like to learn more about healthcare privacy regulations and how they affect email use, we recently published an interesting paper on this topic, which you can download from the following link:
Proofpoint Whitepaper: HIPAA and Beyond - An Update on Healthcare Security Regulations for Email, 2009

